Skip to content

Commit f233023

Browse files
scoderscoder
committed
Cleaner: Remove SVG image data URLs since they can embed script content.
Reported as GHSL-2021-1038
1 parent 12fa966 commit f233023

File tree

2 files changed

+60
-8
lines changed

2 files changed

+60
-8
lines changed

src/lxml/html/clean.py

Lines changed: 15 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -75,18 +75,25 @@
7575

7676
# All kinds of schemes besides just javascript: that can cause
7777
# execution:
78-
_is_image_dataurl = re.compile(
79-
r'^data:image/.+;base64', re.I).search
78+
_find_image_dataurls = re.compile(
79+
r'^data:image/(.+);base64,', re.I).findall
8080
_is_possibly_malicious_scheme = re.compile(
81-
r'(?:javascript|jscript|livescript|vbscript|data|about|mocha):',
82-
re.I).search
81+
r'(javascript|jscript|livescript|vbscript|data|about|mocha):',
82+
re.I).findall
83+
# SVG images can contain script content
84+
_is_unsafe_image_type = re.compile(r"(xml|svg)", re.I).findall
85+
8386
def _is_javascript_scheme(s):
84-
if _is_image_dataurl(s):
85-
return None
86-
return _is_possibly_malicious_scheme(s)
87+
is_image_url = False
88+
for image_type in _find_image_dataurls(s):
89+
is_image_url = True
90+
if _is_unsafe_image_type(image_type):
91+
return True
92+
if is_image_url:
93+
return False
94+
return bool(_is_possibly_malicious_scheme(s))
8795

8896
_substitute_whitespace = re.compile(r'[\s\x00-\x08\x0B\x0C\x0E-\x19]+').sub
89-
# FIXME: should data: be blocked?
9097

9198
# FIXME: check against: http://msdn2.microsoft.com/en-us/library/ms537512.aspx
9299
_conditional_comment_re = re.compile(

src/lxml/html/tests/test_clean.py

Lines changed: 45 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,5 @@
1+
import base64
2+
import gzip
13
import unittest
24
from lxml.tests.common_imports import make_doctest
35

@@ -143,6 +145,49 @@ def test_sneaky_import_in_style(self):
143145
cleaned,
144146
"%s -> %s" % (style_code, cleaned))
145147

148+
def test_svg_data_links(self):
149+
# Remove SVG images with potentially insecure content.
150+
svg = b'<svg onload="alert(123)" />'
151+
svgz = gzip.compress(svg)
152+
svg_b64 = base64.b64encode(svg).decode('ASCII')
153+
svgz_b64 = base64.b64encode(svgz).decode('ASCII')
154+
urls = [
155+
"data:image/svg+xml;base64," + svg_b64,
156+
"data:image/svg+xml-compressed;base64," + svgz_b64,
157+
]
158+
for url in urls:
159+
html = '<img src="%s">' % url
160+
s = lxml.html.fragment_fromstring(html)
161+
162+
cleaned = lxml.html.tostring(clean_html(s))
163+
self.assertEqual(
164+
b'<img src="">',
165+
cleaned,
166+
"%s -> %s" % (url, cleaned))
167+
168+
def test_image_data_links(self):
169+
data = b'123'
170+
data_b64 = base64.b64encode(data).decode('ASCII')
171+
urls = [
172+
"data:image/jpeg;base64," + data_b64,
173+
"data:image/apng;base64," + data_b64,
174+
"data:image/png;base64," + data_b64,
175+
"data:image/gif;base64," + data_b64,
176+
"data:image/webp;base64," + data_b64,
177+
"data:image/bmp;base64," + data_b64,
178+
"data:image/tiff;base64," + data_b64,
179+
"data:image/x-icon;base64," + data_b64,
180+
]
181+
for url in urls:
182+
html = '<img src="%s">' % url
183+
s = lxml.html.fragment_fromstring(html)
184+
185+
cleaned = lxml.html.tostring(clean_html(s))
186+
self.assertEqual(
187+
html.encode("UTF-8"),
188+
cleaned,
189+
"%s -> %s" % (url, cleaned))
190+
146191
def test_formaction_attribute_in_button_input(self):
147192
# The formaction attribute overrides the form's action and should be
148193
# treated as a malicious link attribute

0 commit comments

Comments
 (0)